Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:124619 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 2C8011A00B7 for ; Fri, 26 Jul 2024 14:48:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1722005393; bh=idnwXJeOiG670U5guHb8wULY+m18kNtUvufPONIiYMs=; h=In-Reply-To:References:Date:From:To:Subject:From; b=JypvZgktOesG5x63DNBwDNQGfHybjPo6yjKSdmQyIqRlenxkLVP9j0gic2wRqYcKY YfMJOZmAoFR0HCu3xuOFMW0wvxiounK6cCO3o/XyvIY/wIQabuvW5pZqhDebTRih1d FkEKcBi6/cGZ3Ab6hxD0VN8Ldj9VopkvR4b0IcUbQb7iY33M5qbIgpfGfxZIb6T4oP vg3ltEap1fA1nGgHujVGyHHH7VSGvPJ3IF0NlUd3cr/UOYME/QQNi1+hVDm30UANgD 8WnQymQEiFF7MspXylQpH/PzZGxj4DI2GCzOZTF+OGbmPR6kSpx2NJlcxxWw1orsH3 EUrlQBJlTxLyg== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 3E604180039 for ; Fri, 26 Jul 2024 14:49:52 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-0.1 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_MISSING,HTML_MESSAGE, RCVD_IN_DNSWL_LOW,SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from fout7-smtp.messagingengine.com (fout7-smtp.messagingengine.com [103.168.172.150]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Fri, 26 Jul 2024 14:49:51 +0000 (UTC) Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailfout.nyi.internal (Postfix) with ESMTP id 613E81380191 for ; Fri, 26 Jul 2024 10:48:15 -0400 (EDT) Received: from imap49 ([10.202.2.99]) by compute3.internal (MEProxy); Fri, 26 Jul 2024 10:48:15 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bottled.codes; h=cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm1; t=1722005295; x=1722091695; bh=idnwXJeOiG 670U5guHb8wULY+m18kNtUvufPONIiYMs=; b=rHpe4MjAKddopdGj6yzs6TZzWL XHkGbaNp3DKUHY7Y0fHDgKKGJyn98feodzm85OmOBxPdsi0/mgo0YnXih0N1jCNL iGLI07eCeGZtMHS9Q5wHaft1eEZwVpq+HHnnJ3VQ/9yceCn+N7jI2NVpDPH0VXLU A/zmc57krx57un9/QbfJ9Kdm2aQ0lOJmJHBVP02uyIxiASV1b2bfWXbKQJtgyYBY fwIIo/xMjSmTo1JQXoBT9JztWEhg6lrVhTMZG0MxYiVUWiPPmwJl0yWu6osKwUeK PIcmpWWUcsL1RfwcHbS8p0mQjyiIgab12Zl3cuLGvh9CuXzos6SOPePxauXw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; t=1722005295; x=1722091695; bh=idnwXJeOiG670U5guHb8wULY+m18 kNtUvufPONIiYMs=; b=RUyqxgyvgjH61nnh+nw9P8Ua3EHZlbWkfJCMe1VZcedR Ud0Qzlck32BYJ2ZacPFaawLc4csmPsggWUvwNLOLQS/bwQv/qKJt9U+SZO3g0pPT q1tEPSE+lJgC4iCZdbhzAtZcJt+BEcqGH2TJB1wd4fN745WBJOZ1Z++LXmdoRB6V NHr502aUtX0/e3j9syOGBnIA+aKk+q4FGT00QE7vqw/wvYCPkvF8HGkR0kRikH0S b/tcKsoCDXWYhJJulCrCqdoCCPReieY7Jxn8FQYbv8D6WjBBua1+R8dd3PowQmWL xIPQx4ValZn6RdlfBw5A6RTcnIIscxgJ+ffVDza5mQ== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrieehgdekvdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesrgdtre erreerjeenucfhrhhomhepfdftohgsucfnrghnuggvrhhsfdcuoehrohgssegsohhtthhl vggurdgtohguvghsqeenucggtffrrghtthgvrhhnpeeffeduhfduudeikeekudfghfdugf eljefgkeeghfdvieekledvvdejheetgeetgeenucevlhhushhtvghrufhiiigvpedtnecu rfgrrhgrmhepmhgrihhlfhhrohhmpehrohgssegsohhtthhlvggurdgtohguvghspdhnsg gprhgtphhtthhopedt X-ME-Proxy: Feedback-ID: ifab94697:Fastmail Received: by mailuser.nyi.internal (Postfix, from userid 501) id 0F05315A0092; Fri, 26 Jul 2024 10:48:15 -0400 (EDT) X-Mailer: MessagingEngine.com Webmail Interface User-Agent: Cyrus-JMAP/3.11.0-alpha0-582-g5a02f8850-fm-20240719.002-g5a02f885 Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow MIME-Version: 1.0 Message-ID: <87f6eaed-e07e-45a5-abd0-19c3152fe818@app.fastmail.com> In-Reply-To: References: <1a88918e-e808-d778-45e1-53797660e093@php.net> <9041cba85d6439682bb44fcb29210c944dbe3911.camel@ageofdream.com> <66A2D544.5060801@adviesenzo.nl> Date: Fri, 26 Jul 2024 16:47:52 +0200 To: internals@lists.php.net Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4 Content-Type: multipart/alternative; boundary=efaf06c36ddd44e3bfea1cd3910fe022 From: rob@bottled.codes ("Rob Landers") --efaf06c36ddd44e3bfea1cd3910fe022 Content-Type: text/plain;charset=utf-8 Content-Transfer-Encoding: quoted-printable On Fri, Jul 26, 2024, at 08:44, Rowan Tommins [IMSoP] wrote: >=20 >=20 > On 25 July 2024 23:54:53 BST, Nick Lockheart wr= ote: > >Doesn't password_hash() handle this automatically? The result of the > >password_hash() function includes the hash and the algorithm used to > >hash it. That way password_verify() magically works with the string > >that came from password_hash(). >=20 > For password hashing, you are always retrieving the hash for a specifi= c user, and then making a yes/no decision about it. Indeed, it's an expl= icit aim that an attacker can't take a password and quickly scan a captu= red database for matching hashes. You=E2=80=99d be surprised how many projects get this wrong and claim it= isn't a security issue. If you can get the hashes, you likely have the = ability to run arbitrary sql commands and since password_hash stores the= salt right in the hash, you just need to crack one easy to guess passwo= rd -- or just run password_hash on your machine ... then copy it to what= ever user you want to login as. Very few php projects salt the passwords= with something application/user specific (see: symfony's legacy passwor= d implementation which does, and new one which does not; and yes I repor= ted it, and yes, it "isn't a security issue") to prevent this from happe= ning. There are other bad defaults, such as pdo_mysql allowing more than one s= ql statement (but all other drivers not -- and mysqli is also not)... ma= king it even easier to open yourself up to getting hacked if you use pdo= with mysql; allowing a single injection to be used to insert/update or = even drop tables. Security is something hard to get right, for any language and framework.= PHP isn't an exception here; you have to pay attention to what you are = doing and think like an attacker, every step of the way. >=20 > For other uses of hashes, though, the opposite is true: you want to se= arch for matching hashes. For instance, when you store a file in git, it= calculates the SHA1 hash of its content to use as a lookup key. If that= key already exists in the local database, it assumes the content is the= same. >=20 > That also demonstrates another difference: hashes are often shared bet= ween applications, where they need to be using an agreed algorithm. If a= package manager requires SHA1 hashes of each file, you can't just subst= itute SHA256 hashes without some other agreed changes. >=20 > Tempting though a "secure_hash" function is, I don't think it's practi= cal for a lot of the places hashing is used. I think we can borrow from a recent RFC to return more than one thing: secure_hash($data, $algorithm =3D null): [$algorithm, $hash, $updated_al= gorithm, $updated_hash]; if you pass in an algorithm, it has to have been considered "secure" wit= hin the last two major versions*, it also returns an optional "updated" = part, where it can be used to update the hash in your database, if neede= d. =E2=80=94 Rob --efaf06c36ddd44e3bfea1cd3910fe022 Content-Type: text/html;charset=utf-8 Content-Transfer-Encoding: quoted-printable

=

On Fri, Jul 26, 2024, at 08:44, Rowan Tommins [IMSoP= ] wrote:

On 25 July 2024 23:54:53 BST, Nick Lockheart= <lists@ageofdream.com>= ; wrote:
>Doesn't password_hash() handle this automatic= ally? The result of the
>password_hash() function inclu= des the hash and the algorithm used to
>hash it. That w= ay password_verify() magically works with the string
>t= hat came from password_hash().

For password= hashing, you are always retrieving the hash for a specific user, and th= en making a yes/no decision about it. Indeed, it's an explicit aim that = an attacker can't take a password and quickly scan a captured database f= or matching hashes.

You=E2=80=99= d be surprised how many projects get this wrong and claim it isn't a sec= urity issue. If you can get the hashes, you likely have the ability to r= un arbitrary sql commands and since password_hash stores the salt right = in the hash, you just need to crack one easy to guess password -- or jus= t run password_hash on your machine ... then copy it to whatever user yo= u want to login as. Very few php projects salt the passwords with someth= ing application/user specific (see: symfony's legacy password implementa= tion which does, and new one which does not; and yes I reported it, and = yes, it "isn't a security issue") to prevent this from happening.

There are other bad defaults, such as pdo_mysql a= llowing more than one sql statement (but all other drivers not -- and my= sqli is also not)... making it even easier to open yourself up to gettin= g hacked if you use pdo with mysql; allowing a single injection to be us= ed to insert/update or even drop tables.

Se= curity is something hard to get right, for any language and framework. P= HP isn't an exception here; you have to pay attention to what you are do= ing and think like an attacker, every step of the way.

For other uses of hashes, though, the opposite is true: you want to se= arch for matching hashes. For instance, when you store a file in git, it= calculates the SHA1 hash of its content to use as a lookup key. If that= key already exists in the local database, it assumes the content is the= same.

That also demonstrates another diffe= rence: hashes are often shared between applications, where they need to = be using an agreed algorithm. If a package manager requires SHA1 hashes = of each file, you can't just substitute SHA256 hashes without some other= agreed changes.

Tempting though a "secure_= hash" function is, I don't think it's practical for a lot of the places = hashing is used.

I think we ca= n borrow from a recent RFC to return more than one thing:
=
secure_hash($data, $algorithm =3D null): [$algorithm, $ha= sh, $updated_algorithm, $updated_hash];

if = you pass in an algorithm, it has to have been considered "secure" within= the last two major versions*, it also returns an optional "updated" par= t, where it can be used to update the hash in your database, if needed.<= br>

=E2=80=94 Rob
= --efaf06c36ddd44e3bfea1cd3910fe022--